InfoLaw Update - July 2013 - ICO penalties & fines

A look at some of this month's high profile penalties and fines issued by the ICO.

£200,000 fine against NHS Surrey

The ICO has issued NHS Surrey with a fine of £200,000 after more than 3,000 patient records were found on a second-hand computer bought from an on-line auction site. The patients’ sensitive personal data had been inadvertently left on the computer which had been sold by a data destruction company employed by NHS Surrey. The NHS had contracted with this company since March 2009 to wipe and destroy their old computer equipment. The company carried out this service for free with an agreement that they could sell on any saleable material after the hard drives had been securely destroyed.

In May last year NHS Surrey was contacted by a member of the public who had bought a second hand computer on-line and found that it contained details of patients of NHS Surrey. The computer was found to contain confidential sensitive personal data and HR records of approximately 900 adults and 2,000 children.

NHS Surrey managed to reclaim a further 39 computers sold by the data destruction company. 10 of those were found to have previously belonged to NHS Surrey and 3 still contained sensitive personal data.

The ICO severely criticised NHS Surrey for having no contract in place with their new provider setting out the provider’s legal requirements under the Data Protection Act. It found that NHS Surrey had failed to observe and monitor the data destruction process.

It didn’t help that NHS Surrey couldn’t find the records of the equipment passed for destruction to this company between March 2010 and 10 February 2011. They were only able to confirm that 1,570 computers were processed during that time. The data destruction company was also unable to trace where all of the computers ended up or to confirm how many of them had actually be wiped.

The ICO’s view of the facts of this case were “truly shocking”.

The NHS Commissioning Board, having taken on some of the legal responsibilities of NHS Surrey when it was dissolved in March this year, is required to pay the fine by 22 July or appeal the decision.

If you are a company that has personal data on your computers, it is imperative that you have a watertight contract in place with that data destruction company. The ICO has also produced guidance explaining how old IT equipment can be securely destroyed.

Penalty for nuisance marketing calls

The ICO has fined a Manchester energy company £45,000 for pestering the public with unwanted nuisance marketing calls.

The ICO had initially proposed to issue a fine of £90,000 but having taken into account the company’s financial situation, the fine was reduced to £45,000. The fine was issued against Tameside Energy Services Limited which offers a range of energy efficient re-improvements. Between May 2011 and January 2013 the company was found to be responsible for over 1,000 complaints to the Telephone Preference Service and the ICO. In one case an 80 year old lady complained after still receiving calls from the company despite informing them on 20 separate occasions that they must stop calling her.

Tameside failed to carry out adequate checks to see whether the people they were calling had registered with the TPS. The company has also been issued with an Enforcement Notice requiring them to stop making calls to people who have registered their number with the TPS or have previously notified Tameside that they do not wish to be contacted further.

The ICO has an on-line reporting tool that people can use to give details of any unwanted marketing texts and calls that they receive.